Network Access Control: Is it Dead? The History of NAC and How the Evolving Cybersecurity Industry Changed It

As enterprise organizations continue to add BYOD, IoT devices, virtual servers/cloud services, switches, routers and offices that are connected and sharing information throughout the globe, the task of identifying and securing these endpoints can seem overwhelming. To manage these trends, about half the market had turned to (or are turning to) network access control (NAC) technology. The network access control market size was $681.3 million in 2015 and is estimated to reach roughly $2.65 billion by 2020[i].

Interestingly, at the end of 2016, only about half the market has adopted network access control technology. The general consensus at RSA 2017 was that endpoint security and automation needs expanded so quickly, that before network access control could even fully penetrate the market, the technology needs and requirements advanced. The best NAC solutions had to evolve to form the foundation of a more sophisticated Security Automation and Orchestration Solution (SA&O) that provides comprehensive endpoint security.

Many organizations have already realized that vendors who can only provide network access control for a wireless environment, or can only manage traditional NAC use cases like simple onboarding and guest management are severely behind the market.. Savvy companies are leap-frogging past network access control and moving directly to the more sophisticated and successful SA&O solutions. SA&O solutions not only control access, but also provide complete visibility, automate threat response, and record all contextual information with each alert, to speed the time to remediation. NAC is not dead, but successful NAC solutions have evolved; let’s look at the history of network access control to see why rapid evolution was required.

The History of NAC Solutions

The early versions of network access control functioned as a way to authenticate and authorize endpoints, primarily managed PCs, using simple scan-and-block technology. NAC solutions then evolved to address the emerging demand for managing and limiting guest access to corporate networks.

While these early NAC solutions provided control over traditionally managed endpoints, the unrelenting march to IoT and BYOD created unique challenges. IDC predicts global IoT revenue will reach $7.065B by 2020, more than triple the $2.712B in 2015[ii]. BYOD also continues to grow, with IDC forecasting US mobile employees growing from 96.2 million in 2015 to 105.4 million mobile workers in 2020. This growth would mean more than 72 percent of the total workforce qualifies as a mobile worker[iii]. The explosion of these endpoints creates an expanded perimeter that must be contained.

The most formidable challenge is that there is virtually no device configuration standardization for BYOD or IoT. There are hundreds of permutations of device type, brand, operating system and security health status, most without any enterprise grade security, and it’s getting even more complex. From robots, heat monitors, and insulin pumps, to HVAC sensors and automated security access, the number of IoT devices that are connecting to networks is increasing at a staggering pace.

Enterprise organizations also face the need to secure IoT devices in two different ways. First, many companies are now selling, or planning to sell, IoT enabled products that connect back to their networks to provide valuable information on product use and maintenance needs. Companies are rolling out IoT-enabled products for almost everything, from large wind powered turbines and trains, to office printers and security cameras. Without 100% visibility, it is impossible for organizations to see how and where an attack started, making it difficult to remediate the attack and prevent similar incursions.

The second IoT challenge is that more enterprises are buying and incorporating IoT enabled devices from other vendors, IoT devices are used to monitor and control the mechanical, electrical and electronic systems used in various types of buildings. While these devices save time and simplify operations (for example, they can email you when you are low on toner or automatically re-order), they also offer another avenue for hackers to access enterprise networks.

Mobile and IoT endpoints expanded the network attack surface significantly and cyber criminals noticed. Endpoints represent one of the weakest points in the network and are prime targets. In fact, as much as 65% of data breaches start on endpoint devices[iv]. You have to be able to see where each device is, what it is doing, how it is interacting with other devices as well as the entire network topology for both current and forensic threat investigation. But visibility alone is not enough, to be successful, NAC solutions had to evolve into SA&O to fully secure these endpoints.

With this massive proliferation of endpoints, it is impossible for IT groups to secure, provision and manage alerts for all of these endpoints. NAC solutions had to evolve into SA&O to automate provisioning, remediation, triage and quarantine. All devices must be automatically checked to ensure each complies with the minimum network security standards. If the device required updates, SA&O solutions can shift users to a help page to self-remediate. If a device is suspicious or dangerous, the best SA&O solutions can automatically triage and quarantine the device in real-time, before it can reach network data or cause damage. It can then send that alert, along with contextual information, to a security analyst for immediate follow-up.

Furthermore, security threats are expanding and changing at a frantic pace. To combat zero-day exploits, organizations need real-time automated threat response that offers granular policies tied to both the user and the device. Enterprise organizations realize that comprehensive security now requires integrating several best-of-breed security solutions. This was another driving factor in the evolution of network access control into security orchestration and automation. Organizations needed SA&O to aggregate the security data from different sources into one central view, so all threat data and alerts can be viewed through one pane of glass.

What to look for in an endpoint security solution

The best SA&O solutions enable an organization to see all endpoints and integrate information from multiple security sources into a single, comprehensive view using just one instance of the solution. To accomplish this, the solution needs to communicate and exchange information with all network devices, rather than requiring an access control solution for each network segment. Companies should start by looking for a vendor-agnostic solution that supports all best-of-breed technologies, is proven, scalable and offers multiple deployment options for physical devices, virtual appliances, and cloud services. A good SA&O solution should also meet the following criteria:

Flexible connectivity support – The solution must be vendor-agnostic and support all wired and wireless connectivity sources across the entire network.

Broad range of device support – New generations of IoT, mobile and gaming devices enter the market every few months, security solutions must work together to protect every endpoint and network device.

High level of automation – IT security professionals are stretched thin in most organizations. Any security device that’s brought in must support a high level of automation so that it does not drain already limited IT resource. This should include user self-provisioning, self-remediation and automated threat response.

Real-time threat response – For endpoints that could pose a potential threat, organizations need automated, real-time threat response that can quarantine suspect devices immediately, then forwards the alert and context to a security analyst for remediation.

Granular policies – Endpoint security solutions must support very specific levels of access for both the user (right time, right place) and the device (right device, security updates, etc.).

Integration with other security solutions – SA&O must seamlessly integrate and leverage the data of other best-of-breed security solutions in order to form a much stronger, secure enterprise network infrastructure.

Scalable to support rapid growth – An enterprise SA&O solution must provide a scalable architecture that can support multiple locations across the enterprise, and virtually unlimited devices with one instances of the security solution.